Archi Forum

Archi => General Archi Discussion => Topic started by: bebran on January 04, 2018, 06:17:53 AM

Title: Tracking GDPR compliance
Post by: bebran on January 04, 2018, 06:17:53 AM
I've put my neck out and have been pushing ArchiMate (using Archi) as a common notation for describing my companies information landscape, and lately become heavily involved in GDPR assessments and identification of compliance issues. Bringing the structured ArchiMate approach into the GDPR program, has been quite an eye opener, where concepts have been completely mixed up and processes, storage systems, interfaces and applications are generally 'called' system/application - guess it's a common problem when definitions are loosely set by the legal department.

To keep it fairly simple, we are now defining a number of 'scenarios', where a process [Business Process] acts on PII (Personal Identifiable Information) [Business Object / Data Object] stored on a storage system [Technology Service] using an application [Application Component]. Some scenarios will not contain all components, but will always have a Data Object combined with one or more of the other components.
Modelling the scenarios seems like a doable task, as we already have all applications (+800 where approx 15 are in focus) and data objects (9 PII categories realised by approx 50 data objects) loaded - the main challenge and finding is the lack of process descriptions.

And now to the actual problem. Each scenario will manually be assessed by 8-10 key questions which should indicate compliance of the 99 GDPR articles and the outcome from each scenario/question will be registered in a big matrix. For this we will need to extract the scenarios to Excel, where the first four columns holds the above components and the following 8-10 columns will hold the questions/answers (likely to be a simple Compliant [Y/N]).
Could look something like this:






ApplicationProcessStorageInformationQ1Q2Qn
Appl AProc AStor AInf AYYN
Appl A-Stor AInf BYYN
Appl BProc BStor AInf CYYY
-Proc B-Inf AYNN

Any suggestions?
Title: Re: Tracking GDPR compliance
Post by: murraygc on January 16, 2018, 00:37:42 AM
Could you do something like use the database connector, and create a separate table for tracking that information, linked to the scenarios in the database section? Or do you want to track it within the model kind of thing?